package se.swedenconnect.opensaml.xmlsec;

import com.google.common.base.Predicate;
import com.google.common.base.Predicates;
import java.security.Key;
import java.util.Iterator;
import java.util.List;
import java.util.stream.Stream;
import javax.annotation.Nonnull;
import javax.annotation.Nullable;
import net.shibboleth.utilities.java.support.collection.Pair;
import net.shibboleth.utilities.java.support.resolver.CriteriaSet;
import net.shibboleth.utilities.java.support.resolver.ResolverException;
import org.opensaml.core.xml.util.XMLObjectSupport;
import org.opensaml.saml.saml2.metadata.EncryptionMethod;
import org.opensaml.saml.security.impl.MetadataCredentialResolver;
import org.opensaml.saml.security.impl.SAMLMDCredentialContext;
import org.opensaml.saml.security.impl.SAMLMetadataEncryptionParametersResolver;
import org.opensaml.security.SecurityException;
import org.opensaml.security.credential.Credential;
import org.opensaml.security.credential.CredentialSupport;
import org.opensaml.security.credential.UsageType;
import org.opensaml.security.criteria.UsageCriterion;
import org.opensaml.xmlsec.EncryptionParameters;
import org.opensaml.xmlsec.algorithm.AlgorithmDescriptor;
import org.opensaml.xmlsec.algorithm.AlgorithmRegistry;
import org.opensaml.xmlsec.keyinfo.KeyInfoGenerator;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import se.swedenconnect.opensaml.xmlsec.algorithm.ExtendedAlgorithmSupport;
import se.swedenconnect.opensaml.xmlsec.encryption.ConcatKDFParams;
import se.swedenconnect.opensaml.xmlsec.encryption.KeyDerivationMethod;
import se.swedenconnect.opensaml.xmlsec.encryption.support.ConcatKDFParameters;
import se.swedenconnect.opensaml.xmlsec.encryption.support.ECDHSupport;
import se.swedenconnect.opensaml.xmlsec.encryption.support.EcEncryptionConstants;

/* loaded from: input_file:se/swedenconnect/opensaml/xmlsec/ExtendedSAMLMetadataEncryptionParametersResolver.class */
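/**
 * An {@link SAMLMetadataEncryptionParametersResolver} extended with support for key agreement (ECDH-ES with a key
 * derivation method) in addition to the key transport algorithms handled by the OpenSAML base class.
 * <p>
 * Resolution order: credentials and algorithms advertised in the peer's SAML metadata are tried first; if nothing
 * usable is found there, the locally configured credentials and algorithms (via
 * {@link ExtendedEncryptionParametersResolver}) are used. Every algorithm URI taken from metadata is checked against
 * the supplied include/exclude {@code predicate} before it is accepted, so peer metadata can never force an
 * algorithm that the local policy rejects.
 * </p>
 */
public class ExtendedSAMLMetadataEncryptionParametersResolver extends SAMLMetadataEncryptionParametersResolver {

    /** Logger instance. */
    private static final Logger log = LoggerFactory.getLogger(ExtendedSAMLMetadataEncryptionParametersResolver.class);

    /** Resolves the locally configured (non-metadata) parameters, including key agreement defaults. */
    private final ExtendedEncryptionParametersResolver realSuper;

    /**
     * Result of resolving the key transport/key wrapping algorithm and credential for a metadata credential.
     * An instance created with the no-arg constructor means "nothing resolved" ({@link #getAlgorithm()} is null).
     */
    public static class ResolvedKeyTransport {
        private final String algorithm;
        private final EncryptionMethod encryptionMethod;
        private final Credential credential;

        /** Creates an empty (unresolved) result. */
        public ResolvedKeyTransport() {
            this(null, null, null);
        }

        /**
         * Creates a resolved result.
         *
         * @param algorithm the key transport or key wrapping algorithm URI
         * @param encryptionMethod the metadata {@code EncryptionMethod} the algorithm was taken from, or null
         * @param credential the credential to use (for key agreement this is the generated agreement credential)
         */
        public ResolvedKeyTransport(final String algorithm, final EncryptionMethod encryptionMethod, final Credential credential) {
            this.algorithm = algorithm;
            this.encryptionMethod = encryptionMethod;
            this.credential = credential;
        }

        /** @return the algorithm URI, or null if nothing was resolved */
        public String getAlgorithm() {
            return this.algorithm;
        }

        /** @return the originating metadata {@code EncryptionMethod}, or null */
        public EncryptionMethod getEncryptionMethod() {
            return this.encryptionMethod;
        }

        /** @return the credential to encrypt with, or null if nothing was resolved */
        public Credential getCredential() {
            return this.credential;
        }

        /** @return true if an algorithm was resolved */
        boolean isResolved() {
            return this.algorithm != null;
        }
    }

    /**
     * Constructor.
     *
     * @param metadataCredentialResolver the resolver used to obtain credentials from SAML metadata
     */
    public ExtendedSAMLMetadataEncryptionParametersResolver(final MetadataCredentialResolver metadataCredentialResolver) {
        super(metadataCredentialResolver);
        this.realSuper = new ExtendedEncryptionParametersResolver();
    }

    /**
     * Returns a printable key type for log messages. {@link CredentialSupport#extractEncryptionKey(Credential)} may
     * return null for a metadata credential that carries no usable key, so this must never be dereferenced directly
     * from a log call.
     *
     * @param credential the credential
     * @return the key algorithm name, or {@code "n/a"}
     */
    private static String keyType(@Nonnull final Credential credential) {
        final Key key = CredentialSupport.extractEncryptionKey(credential);
        return key != null ? key.getAlgorithm() : "n/a";
    }

    /**
     * Tells whether the given key derivation method is ConcatKDF without its mandatory {@code ConcatKDFParams} child,
     * in which case the parameters have to be supplied from local configuration.
     *
     * @param kdm the key derivation method
     * @return true if ConcatKDFParams must be added from local configuration
     */
    private static boolean lacksConcatKDFParams(@Nonnull final KeyDerivationMethod kdm) {
        return EcEncryptionConstants.ALGO_ID_KEYDERIVATION_CONCAT.equals(kdm.getAlgorithm())
            && kdm.getUnknownXMLObjects(ConcatKDFParams.DEFAULT_ELEMENT_NAME).isEmpty();
    }

    /**
     * Resolves credentials and algorithms from the peer's SAML metadata, falling back to local configuration if
     * metadata resolution fails or yields nothing usable.
     *
     * @param encryptionParameters the parameters object to populate
     * @param criteriaSet the criteria
     * @param predicate the include/exclude predicate for algorithm URIs
     */
    protected void resolveAndPopulateCredentialsAndAlgorithms(@Nonnull final EncryptionParameters encryptionParameters,
            @Nonnull final CriteriaSet criteriaSet, @Nonnull final Predicate<String> predicate) {

        // Only encryption credentials from metadata are of interest; force the usage criterion.
        final CriteriaSet mdCriteria = new CriteriaSet();
        mdCriteria.addAll(criteriaSet);
        mdCriteria.add(new UsageCriterion(UsageType.ENCRYPTION), true);

        try {
            for (final Credential credential : getMetadataCredentialResolver().resolve(mdCriteria)) {
                if (log.isTraceEnabled()) {
                    log.trace("Evaluating key transport encryption credential from SAML metadata of type: {}", keyType(credential));
                }
                final SAMLMDCredentialContext mdContext =
                    (SAMLMDCredentialContext) credential.getCredentialContextSet().get(SAMLMDCredentialContext.class);

                final Pair<String, EncryptionMethod> dataEncryption = resolveDataEncryptionAlgorithm(criteriaSet, predicate, mdContext);
                final ResolvedKeyTransport keyTransport =
                    resolveKeyTransport(credential, mdCriteria, predicate, dataEncryption.getFirst(), mdContext);

                if (!keyTransport.isResolved()) {
                    log.debug("Unable to resolve key transport algorithm for credential with key type '{}', considering other credentials",
                        keyType(credential));
                    continue;
                }
                encryptionParameters.setKeyTransportEncryptionCredential(keyTransport.getCredential());
                encryptionParameters.setKeyTransportEncryptionAlgorithm(keyTransport.getAlgorithm());
                encryptionParameters.setDataEncryptionAlgorithm(dataEncryption.getFirst());
                resolveAndPopulateRSAOAEPParams(encryptionParameters, criteriaSet, predicate, keyTransport.getEncryptionMethod());
                processDataEncryptionCredentialAutoGeneration(encryptionParameters);
                return;
            }
        }
        catch (final ResolverException e) {
            log.warn("Problem resolving credentials from metadata, falling back to local configuration", e);
        }

        log.debug("Could not resolve encryption parameters based on SAML metadata, falling back to locally configured credentials and algorithms");
        this.realSuper.resolveAndPopulateCredentialsAndAlgorithms(encryptionParameters, criteriaSet, predicate);
    }

    /**
     * Resolves how the data encryption key is to be protected for the given metadata credential: first as ordinary key
     * transport (delegated to the base class), then - if the credential's key supports it - as key agreement with a
     * key wrapping algorithm.
     *
     * @param credential the metadata credential
     * @param criteriaSet the criteria
     * @param predicate the include/exclude predicate for algorithm URIs
     * @param dataEncryptionAlgorithm the already resolved data encryption algorithm (may be null)
     * @param mdContext the metadata credential context (may be null)
     * @return a resolved key transport, or an empty instance if nothing could be resolved
     */
    protected ResolvedKeyTransport resolveKeyTransport(@Nonnull final Credential credential, @Nonnull final CriteriaSet criteriaSet,
            @Nonnull final Predicate<String> predicate, @Nullable final String dataEncryptionAlgorithm,
            @Nullable final SAMLMDCredentialContext mdContext) {

        final Pair<String, EncryptionMethod> keyTransport =
            super.resolveKeyTransportAlgorithm(credential, criteriaSet, predicate, dataEncryptionAlgorithm, mdContext);
        if (keyTransport.getFirst() != null) {
            return new ResolvedKeyTransport(keyTransport.getFirst(), keyTransport.getSecond(), credential);
        }
        if (!ExtendedAlgorithmSupport.peerCredentialSupportsKeyAgreement(credential)) {
            return new ResolvedKeyTransport();
        }

        final String keyWrappingAlgorithm = resolveKeyWrappingAlgorithm(credential, criteriaSet, predicate, mdContext);
        if (keyWrappingAlgorithm == null) {
            log.debug("No key wrapping algorithm could be resolved - can not perform key agreement for credential of type '{}'",
                keyType(credential));
            return new ResolvedKeyTransport();
        }
        final Pair<String, KeyDerivationMethod> keyAgreement = resolveKeyAgreementAlgorithm(credential, criteriaSet, predicate, mdContext);
        if (keyAgreement == null) {
            log.debug("No key agreement algorithm could be resolved - can not perform key agreement for credential of type '{}'",
                keyType(credential));
            return new ResolvedKeyTransport();
        }

        try {
            // The generated agreement credential replaces the peer credential; the wrapping algorithm is reported as
            // the "key transport" algorithm.
            final Credential agreementCredential =
                ECDHSupport.createKeyAgreementCredential(credential, keyWrappingAlgorithm, keyAgreement.getSecond());
            return new ResolvedKeyTransport(keyWrappingAlgorithm, null, agreementCredential);
        }
        catch (final SecurityException e) {
            // Log the algorithms actually resolved rather than fixed constants.
            log.error("Failed to get a key agreement credential using '{}' ({}) - {}",
                keyAgreement.getFirst(), keyAgreement.getSecond().getAlgorithm(), e.getMessage(), e);
            return new ResolvedKeyTransport();
        }
    }

    /**
     * Resolves the key wrapping algorithm to use together with key agreement. Metadata {@code EncryptionMethod}
     * elements are consulted first; each candidate must be runtime supported and allowed by the predicate. Otherwise
     * the first key wrapping algorithm among the effective (local) key transport algorithms is used.
     *
     * @param credential the metadata credential
     * @param criteriaSet the criteria
     * @param predicate the include/exclude predicate for algorithm URIs
     * @param mdContext the metadata credential context (may be null)
     * @return a key wrapping algorithm URI, or null if none could be resolved
     */
    protected String resolveKeyWrappingAlgorithm(@Nonnull final Credential credential, @Nonnull final CriteriaSet criteriaSet,
            @Nonnull final Predicate<String> predicate, @Nullable final SAMLMDCredentialContext mdContext) {

        if (mdContext != null) {
            final Predicate<String> allowed = Predicates.and(getAlgorithmRuntimeSupportedPredicate(), predicate);
            for (final EncryptionMethod encryptionMethod : mdContext.getEncryptionMethods()) {
                final AlgorithmDescriptor descriptor = getAlgorithmRegistry().get(encryptionMethod.getAlgorithm());
                if (descriptor == null || !ExtendedAlgorithmSupport.isKeyWrappingAlgorithm(descriptor)) {
                    continue;
                }
                if (allowed.apply(descriptor.getURI())) {
                    log.debug("Found key wrapping algorithm '{}' under EncryptionMethod for credential of type '{}'",
                        descriptor.getURI(), keyType(credential));
                    return descriptor.getURI();
                }
                log.debug("Key wrapping algorithm '{}' found under EncryptionMethod for credential of type '{}' is not allowed according to white/black list configuration",
                    descriptor.getURI(), keyType(credential));
            }
        }
        log.debug("No key wrapping algorithm specified under EncryptionMethod for credential of type '{}' - trying local configuration",
            keyType(credential));

        final AlgorithmRegistry registry = getAlgorithmRegistry();
        final String localAlgorithm = getEffectiveKeyTransportAlgorithms(criteriaSet, predicate).stream()
            .map(registry::get)
            .filter(ExtendedAlgorithmSupport::isKeyWrappingAlgorithm)
            .map(AlgorithmDescriptor::getURI)
            .findFirst()
            .orElse(null);

        if (localAlgorithm != null) {
            log.debug("Found key wrapping algorithm '{}' in local configuration", localAlgorithm);
        }
        else {
            log.debug("No key wrapping algorithm was found in metadata or local configuration");
        }
        return localAlgorithm;
    }

    /**
     * Resolves the key agreement algorithm and its key derivation method. Values advertised in metadata are preferred,
     * but only if allowed by the predicate; anything missing is taken from local configuration. A ConcatKDF derivation
     * method from metadata that lacks {@code ConcatKDFParams} is completed with the locally configured parameters
     * (on a fresh object, so the cached metadata tree is never modified).
     *
     * @param credential the metadata credential
     * @param criteriaSet the criteria
     * @param predicate the include/exclude predicate for algorithm URIs
     * @param mdContext the metadata credential context (may be null)
     * @return the key agreement algorithm URI and a complete key derivation method, or null if either could not be
     *         resolved
     */
    protected Pair<String, KeyDerivationMethod> resolveKeyAgreementAlgorithm(@Nonnull final Credential credential,
            @Nonnull final CriteriaSet criteriaSet, @Nonnull final Predicate<String> predicate,
            @Nullable final SAMLMDCredentialContext mdContext) {

        String keyAgreementAlgorithm = null;
        KeyDerivationMethod keyDerivationMethod = null;

        if (mdContext != null) {
            for (final EncryptionMethod encryptionMethod : mdContext.getEncryptionMethods()) {
                final AlgorithmDescriptor descriptor = getAlgorithmRegistry().get(encryptionMethod.getAlgorithm());
                if (descriptor == null || !ExtendedAlgorithmSupport.isKeyAgreementAlgorithm(descriptor)) {
                    continue;
                }
                // Peer metadata is untrusted input: apply the same include/exclude policy as for key transport and
                // key wrapping algorithms.
                if (!predicate.apply(descriptor.getURI())) {
                    log.debug("Key agreement algorithm '{}' found under EncryptionMethod for credential of type '{}' is not allowed according to white/black list configuration",
                        descriptor.getURI(), keyType(credential));
                    continue;
                }
                keyAgreementAlgorithm = descriptor.getURI();
                log.debug("Found key agreement algorithm '{}' under EncryptionMethod for credential of type '{}'",
                    keyAgreementAlgorithm, keyType(credential));

                final KeyDerivationMethod mdKdm = encryptionMethod.getUnknownXMLObjects(KeyDerivationMethod.DEFAULT_ELEMENT_NAME).stream()
                    .map(KeyDerivationMethod.class::cast)
                    .findFirst()
                    .orElse(null);
                if (mdKdm == null) {
                    log.debug("No KeyDerivationMethod was found under EncryptionMethod for '{}' for credential of type '{}'",
                        keyAgreementAlgorithm, keyType(credential));
                    continue;
                }
                log.debug("KeyDerivationMethod '{}' was found under EncryptionMethod for '{}' for credential of type '{}'",
                    mdKdm.getAlgorithm(), keyAgreementAlgorithm, keyType(credential));
                if (!predicate.apply(mdKdm.getAlgorithm())) {
                    log.debug("KeyDerivationMethod '{}' found under EncryptionMethod for credential of type '{}' is not allowed according to white/black list configuration",
                        mdKdm.getAlgorithm(), keyType(credential));
                    continue;
                }
                if (!lacksConcatKDFParams(mdKdm)) {
                    return new Pair<>(keyAgreementAlgorithm, mdKdm);
                }
                // ConcatKDF without parameters: remember the algorithm on a new object and complete it below from
                // local configuration (returning here would skip that step).
                log.debug("ConcatKDFParams not specified in metadata - will look for it in local configuration");
                keyDerivationMethod = (KeyDerivationMethod) XMLObjectSupport.buildXMLObject(KeyDerivationMethod.DEFAULT_ELEMENT_NAME);
                keyDerivationMethod.setAlgorithm(mdKdm.getAlgorithm());
                break;
            }
        }

        if (keyAgreementAlgorithm == null) {
            log.debug("No key agreement algorithm specified under EncryptionMethod for credential of type '{}' - trying local configuration",
                keyType(credential));
            final List<String> localMethods = this.realSuper.getEffectiveKeyAgreementMethods(criteriaSet, predicate);
            if (localMethods.isEmpty()) {
                log.debug("No key agreement algorithms found in local configuration");
                return null;
            }
            log.debug("Key agreement algorithm(s) {} resolved from local configuration, using '{}'", localMethods, localMethods.get(0));
            keyAgreementAlgorithm = localMethods.get(0);
        }

        if (keyDerivationMethod == null) {
            log.debug("Key agreement algorithm '{}' was specified under EncryptionMethod for credential of type '{}' - trying local configuration to find KeyDerivationMethod",
                keyAgreementAlgorithm, keyType(credential));
            final List<String> localKdfs = this.realSuper.getEffectiveKeyDerivationAlgorithms(criteriaSet, predicate);
            if (localKdfs.isEmpty()) {
                log.debug("No key derivation methods found in local configuration");
                return null;
            }
            log.debug("Key derivation method(s) {} resolved from local configuration, using '{}'", localKdfs, localKdfs.get(0));
            keyDerivationMethod = (KeyDerivationMethod) XMLObjectSupport.buildXMLObject(KeyDerivationMethod.DEFAULT_ELEMENT_NAME);
            keyDerivationMethod.setAlgorithm(localKdfs.get(0));
        }

        if (lacksConcatKDFParams(keyDerivationMethod)) {
            final ConcatKDFParameters concatKDFParameters = this.realSuper.getConcatKDFParameters(criteriaSet, predicate);
            if (concatKDFParameters == null) {
                log.info("Could not get ConcatKDFParams for '{}' from local configuration", EcEncryptionConstants.ALGO_ID_KEYDERIVATION_CONCAT);
                return null;
            }
            keyDerivationMethod.getUnknownXMLObjects().add(concatKDFParameters.toXMLObject());
        }
        return new Pair<>(keyAgreementAlgorithm, keyDerivationMethod);
    }

    /**
     * Delegates to the local resolver, which knows how to build KeyInfo for key agreement credentials.
     *
     * @param criteriaSet the criteria
     * @param credential the key transport credential (may be null)
     * @return a KeyInfo generator, or null
     */
    @Nullable
    protected KeyInfoGenerator resolveKeyTransportKeyInfoGenerator(@Nonnull final CriteriaSet criteriaSet, @Nullable final Credential credential) {
        return this.realSuper.resolveKeyTransportKeyInfoGenerator(criteriaSet, credential);
    }

    /**
     * Assigns the algorithm registry to both this resolver and the local fallback resolver.
     *
     * @param algorithmRegistry the registry
     */
    public void setAlgorithmRegistry(final AlgorithmRegistry algorithmRegistry) {
        super.setAlgorithmRegistry(algorithmRegistry);
        this.realSuper.setAlgorithmRegistry(algorithmRegistry);
    }

    /**
     * Assigns the auto-generation flag to both this resolver and the local fallback resolver.
     *
     * @param autoGenerate whether to auto-generate the data encryption credential
     */
    public void setAutoGenerateDataEncryptionCredential(final boolean autoGenerate) {
        super.setAutoGenerateDataEncryptionCredential(autoGenerate);
        this.realSuper.setAutoGenerateDataEncryptionCredential(autoGenerate);
    }

    /**
     * Tells the local fallback resolver whether to use key agreement defaults when nothing is configured.
     *
     * @param useDefaults whether to use the defaults
     */
    public void setUseKeyAgreementDefaults(final boolean useDefaults) {
        this.realSuper.setUseKeyAgreementDefaults(useDefaults);
    }
}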
